Cleaning up an old PC

shimmershelly

Hi, I wonder if someone could take a look at a Hijack This log for me.
This is our old computer and hasn't been online for 3 years but I recently managed to connect with a network adaptor and would like to be able to use it for a spare. Unfortunately in the days when it was the main PC I wasn't very security concious, and after installing AVG, it picked up 37 threats, 18 of which were Trojans and one worm. I have since run MBAM twice, the second time only one threat was found and quarentined, I have also run spybot and ccleaner and cleaned up what they found.
I don't know what I am looking for with Hijack This so any help would be appreciated. Are we nearly there in getting the poor old thing clean?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:29, on 10/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\SHELLY\My Documents\antivirus etc\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://btbroadbandstart.bt.com/main.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - !!02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - !!06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - !!3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - !!53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1614895754-1647877149-839522115-1015\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Pompey Blues 2')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm398
O9 - Extra button: (no name) - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Packard Bell - !!1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: !!00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: !!15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MusicAccess/ie/bridge-c8.cab
O16 - DPF: !!1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/bt/yregucfg.cab
O16 - DPF: !!4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: !!6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231337368870
O16 - DPF: !!71057C18-0507-4747-86BC-E11CE7512C5F} - http://register.btinternet.com/templates/btmailcontrol013.cab
O16 - DPF: !!77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: !!8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {D7E84AF2-BF0A-4922-A077-60CFFF0F2E62} (TSRChat Control) - http://www.sims2.thesimsresource.com/TSRChat.cab
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/activex/InfosFinder2.CAB
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} - http://www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O24 - Desktop Component 0: (no name) - http://images.picsearch.com/is?397669889604
O24 - Desktop Component 1: (no name) - http://thesims2.ea.com/images/getcoolstuff/wallpaper_6_1024.jpg
O24 - Desktop Component 2: (no name) - http://thesims2.ea.com/images/getcoolstuff/wallpaper_3_1280.jpg
O24 - Desktop Component 3: (no name) - http://thesims2.ea.com/images/getcoolstuff/wallpaper_6_800.jpg
--
End of file - 8194 bytes

aliEnRIK

Did you run malwarebytes on a FULL scan? If not UPDATE and run a full one

aliEnRIK

AVG8 will slow it down even further. Id recommend uninstalling it ~
http://www.avg.com/download-tools
reboot
Download and install AVIRA
http://www.free-av.com/

FIX these using hijack ~
O2 - BHO: (no name) - !!02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm398
O16 - DPF: !!77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe

aliEnRIK

Open spybot, UPDATE and IMMUNISE (must read zero)
Then SCAN with it

shimmershelly

I did MBAM on full scan in safe mode after updating, will redo spybot scan. Thanks for taking a look.

aliEnRIK

Again i recommend uninstalling AVG. Avira will almost certainly find more.

shimmershelly

Ok, I'll get onto that too. Thanks again

Reluctant_spender

shimmershelly wrote: »

I did MBAM on full scan in safe mode after updating, will redo spybot scan. Thanks for taking a look.

MBAM works best in normal mode.

want2bmortgage3

run all the windows updates as you need these in combination with antivirus and anti-spyware software. once all updates are done, then make sure you install virus s/w such as avg or avast and also windows defender or similar, make sure you do all the program updates.

then reboot in safe mode (press f8 before the windows screen appears) and run full scans with both anti virus/spyware programs. in safe mode theres more chance the software can remove the viruses etc.

also to speed up the computer, remove unnecesary programs from starting up every time windows loads. some are in the start menu under startup, but most are found in msconfig. click start > run type "msconfig" , click startup and remove all ticks apart from important programs like antivirus.

finally i would recommend adding a new user to create a 'clean' profile in window, do this via the control panel > users.move any date you need from old to new profiles then delete the old one. hope some of that helps.

aliEnRIK

shimmershelly wrote: »

Ok, I'll get onto that too. Thanks again

by you using the term 'too' it makes it sound like your going to install BOTH?
Dont do that whatever you do, its possible your computer wont work at all for starters!

shimmershelly

Not at all, I uninstalled AVG (using the tool you linked to), and installed Avira. It did pick up a couple of extra threats, I've got rid of now. I have also followed the other advice you gave re spybot and Hijack This, and defragged after (it really needed that lol!).
I keep my main PC and my daughters laptop clean, it was just this one was so old all the nasties got onto it years ago when I didn't realise how important it was to scan regularly.

I had already done all the windows updates (although strangely SP3 doesn't seem to want to install) and cleaned up programmes we don't use anymore. I use ccleaner to sort out start up programmes so it's actually not running slowly at all (considering it's carp specs!)
Do you want me to post another HT log or do you think we are done?
Thanks again